SDK for PHP 3.x

CredentialProvider
in package

Credential providers are functions that accept no arguments and return a promise that is fulfilled with an \Aws\Credentials\CredentialsInterface or rejected with an \Aws\Exception\CredentialsException.

use Aws\Credentials\CredentialProvider;

$provider = CredentialProvider::defaultProvider();
// Returns a CredentialsInterface or throws.
$creds = $provider()->wait();

Credential providers can be composed to create credentials using conditional logic that can create different credentials in different environments. You can compose multiple providers into a single provider using CredentialProvider::chain. This function accepts providers as variadic arguments and returns a new function that will invoke each provider until a successful set of credentials is returned.

// First try an INI file at this location.
$a = CredentialProvider::ini(null, '/path/to/file.ini');
// Then try an INI file at this location.
$b = CredentialProvider::ini(null, '/path/to/other-file.ini');
// Then try loading from environment variables.
$c = CredentialProvider::env();
// Combine the three providers together.
$composed = CredentialProvider::chain($a, $b, $c);
// Returns a promise that is fulfilled with credentials or throws.
$promise = $composed();
// Wait on the credentials to resolve.
$creds = $promise->wait();
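Because a provider is only a callable returning a promise, a policy check can be composed into a chain in the same way. The following is an added example, not code from the SDK or its documentation: `requireSessionToken()` is a hypothetical helper, the key values are constructed placeholders, and it assumes the SDK is installed through Composer.

```php
<?php
require 'vendor/autoload.php'; // assumes aws/aws-sdk-php installed via Composer

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\Credentials;
use Aws\Credentials\CredentialsInterface;
use Aws\Exception\CredentialsException;

// Hypothetical helper, not an SDK method: wraps a provider and rejects
// credentials that carry no session token (long-lived static keys).
function requireSessionToken(callable $provider): callable
{
    return function () use ($provider) {
        return $provider()->then(function (CredentialsInterface $creds) {
            if (!$creds->getSecurityToken()) {
                // Throwing inside then() rejects the promise, so chain()
                // moves on to the next provider.
                throw new CredentialsException('Static credentials refused');
            }
            return $creds;
        });
    };
}

// Constructed sample values, not real keys. In a deployment these would be
// CredentialProvider::env() and CredentialProvider::instanceProfile().
$static = CredentialProvider::fromCredentials(
    new Credentials('AKIAEXAMPLE', 'example-secret')
);
$temporary = CredentialProvider::fromCredentials(
    new Credentials('ASIAEXAMPLE', 'example-secret', 'example-token', time() + 900)
);

// The static source is tried first and refused; the chain falls through.
$provider = CredentialProvider::memoize(
    CredentialProvider::chain(requireSessionToken($static), $temporary)
);
$creds = $provider()->wait();
printf("resolved %s, token present: %s\n",
    $creds->getAccessKeyId(), $creds->getSecurityToken() ? 'yes' : 'no');

// With no fallback, wait() throws the CredentialsException.
try {
    requireSessionToken($static)()->wait();
} catch (CredentialsException $e) {
    printf("rejected: %s\n", $e->getMessage());
}
```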

Table of Contents

Constants

ENV_ACCOUNT_ID  = 'AWS_ACCOUNT_ID'
ENV_ARN  = 'AWS_ROLE_ARN'
ENV_KEY  = 'AWS_ACCESS_KEY_ID'
ENV_PROFILE  = 'AWS_PROFILE'
ENV_ROLE_SESSION_NAME  = 'AWS_ROLE_SESSION_NAME'
ENV_SECRET  = 'AWS_SECRET_ACCESS_KEY'
ENV_SESSION  = 'AWS_SESSION_TOKEN'
ENV_SHARED_CREDENTIALS_FILE  = 'AWS_SHARED_CREDENTIALS_FILE'
ENV_TOKEN_FILE  = 'AWS_WEB_IDENTITY_TOKEN_FILE'

Methods

assumeRole()  : callable
Credential provider that creates credentials using assume role
assumeRoleWithWebIdentityCredentialProvider()  : callable
Credential provider that creates credentials by assuming role from a Web Identity Token
cache()  : callable
Wraps a credential provider and saves provided credentials in an instance of Aws\CacheInterface. Forwards calls when no credentials are found in the cache and updates the cache with the results.
chain()  : callable
Creates an aggregate credentials provider that invokes the provided variadic providers one after the other until a provider returns credentials.
defaultProvider()  : callable
Creates a default credential provider that first checks for environment variables, then checks for an assumed role via web identity, then checks for cached SSO credentials from the CLI, then checks for credential_process in the "default" profile in ~/.aws/credentials, then checks for the "default" profile in ~/.aws/credentials, then checks for credential_process in the "default profile" profile in ~/.aws/config, then checks for the "profile default" profile in ~/.aws/config (which is the default profile of the AWS CLI), then tries to make a GET request to fetch credentials if the ECS environment variable is present, and finally checks for EC2 instance profile credentials.
ecsCredentials()  : EcsCredentialProvider
Credential provider that creates credentials by fetching ECS credentials with a GET request to a URI specified by an environment variable.
env()  : callable
Provider that creates credentials from environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.
fromCredentials()  : callable
Create a credential provider function from a set of static credentials.
getCredentialsFromSource()  : mixed
ini()  : callable
Credentials provider that creates credentials using an ini file stored in the current user's home directory. A source can be provided in this file for assuming a role using the credential_source config option.
instanceProfile()  : InstanceProfileProvider
Credential provider that creates credentials using instance profile credentials.
memoize()  : callable
Wraps a credential provider and caches previously provided credentials.
process()  : callable
Credentials provider that creates credentials using a process configured in an ini file stored in the current user's home directory.
shouldUseEcs()  : bool
sso()  : callable
Credential provider that retrieves cached SSO credentials from the CLI

Constants

ENV_ACCOUNT_ID

public mixed ENV_ACCOUNT_ID = 'AWS_ACCOUNT_ID'

ENV_ARN

public mixed ENV_ARN = 'AWS_ROLE_ARN'

ENV_KEY

public mixed ENV_KEY = 'AWS_ACCESS_KEY_ID'

ENV_PROFILE

public mixed ENV_PROFILE = 'AWS_PROFILE'

ENV_ROLE_SESSION_NAME

public mixed ENV_ROLE_SESSION_NAME = 'AWS_ROLE_SESSION_NAME'

ENV_SECRET

public mixed ENV_SECRET = 'AWS_SECRET_ACCESS_KEY'

ENV_SESSION

public mixed ENV_SESSION = 'AWS_SESSION_TOKEN'

ENV_SHARED_CREDENTIALS_FILE

public mixed ENV_SHARED_CREDENTIALS_FILE = 'AWS_SHARED_CREDENTIALS_FILE'

ENV_TOKEN_FILE

public mixed ENV_TOKEN_FILE = 'AWS_WEB_IDENTITY_TOKEN_FILE'

Methods

assumeRole()

Credential provider that creates credentials using assume role

public static assumeRole([array<string|int, mixed> $config = [] ]) : callable
Parameters
$config : array<string|int, mixed> = []

Array of configuration data

Tags
see AssumeRoleCredentialProvider for $config details.

Return values
callable

assumeRoleWithWebIdentityCredentialProvider()

Credential provider that creates credentials by assuming role from a Web Identity Token

public static assumeRoleWithWebIdentityCredentialProvider([array<string|int, mixed> $config = [] ]) : callable
Parameters
$config : array<string|int, mixed> = []

Array of configuration data

Tags
see AssumeRoleWithWebIdentityCredentialProvider for $config details.

Return values
callable

cache()

Wraps a credential provider and saves provided credentials in an instance of Aws\CacheInterface. Forwards calls when no credentials are found in the cache and updates the cache with the results.

public static cache(callable $provider, CacheInterface $cache[, string|null $cacheKey = null ]) : callable
Parameters
$provider : callable

Credentials provider function to wrap

$cache : CacheInterface

Cache to store credentials

$cacheKey : string|null = null

(optional) Cache key to use

Return values
callable

chain()

Creates an aggregate credentials provider that invokes the provided variadic providers one after the other until a provider returns credentials.

public static chain() : callable
Return values
callable

defaultProvider()

Creates a default credential provider that first checks for environment variables, then checks for an assumed role via web identity, then checks for cached SSO credentials from the CLI, then checks for credential_process in the "default" profile in ~/.aws/credentials, then checks for the "default" profile in ~/.aws/credentials, then checks for credential_process in the "default profile" profile in ~/.aws/config, then checks for the "profile default" profile in ~/.aws/config (which is the default profile of the AWS CLI), then tries to make a GET request to fetch credentials if the ECS environment variable is present, and finally checks for EC2 instance profile credentials.

public static defaultProvider([array<string|int, mixed> $config = [] ]) : callable

This provider is automatically wrapped in a memoize function that caches previously provided credentials.

Parameters
$config : array<string|int, mixed> = []

Optional array of ecs/instance profile credentials provider options.

Return values
callable

ecsCredentials()

Credential provider that creates credentials by fetching ECS credentials with a GET request to a URI specified by an environment variable.

public static ecsCredentials([array<string|int, mixed> $config = [] ]) : EcsCredentialProvider
Parameters
$config : array<string|int, mixed> = []

Array of configuration data.

Tags
see EcsCredentialProvider for $config details.

Return values
EcsCredentialProvider

env()

Provider that creates credentials from environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

public static env() : callable
Return values
callable

fromCredentials()

Create a credential provider function from a set of static credentials.

public static fromCredentials(CredentialsInterface $creds) : callable
Parameters
$creds : CredentialsInterface
Return values
callable

getCredentialsFromSource()

public static getCredentialsFromSource([mixed $profileName = '' ][, mixed $filename = '' ][, mixed $config = [] ]) : mixed
Parameters
$profileName : mixed = ''
$filename : mixed = ''
$config : mixed = []

ini()

Credentials provider that creates credentials using an ini file stored in the current user's home directory. A source can be provided in this file for assuming a role using the credential_source config option.

public static ini([string|null $profile = null ][, string|null $filename = null ][, array<string|int, mixed>|null $config = [] ]) : callable
Parameters
$profile : string|null = null

Profile to use. If not specified will use the "default" profile in "~/.aws/credentials".

$filename : string|null = null

If provided, uses a custom filename rather than looking in the home directory.

$config : array<string|int, mixed>|null = []

If provided, may contain the following:
preferStaticCredentials: If true, prefer static credentials to role_arn if both are present.
disableAssumeRole: If true, disable support for roles that assume an IAM role. If true and role profile is selected, an error is raised.
stsClient: StsClient used to assume role specified in profile.

Return values
callable

instanceProfile()

Credential provider that creates credentials using instance profile credentials.

public static instanceProfile([array<string|int, mixed> $config = [] ]) : InstanceProfileProvider
Parameters
$config : array<string|int, mixed> = []

Array of configuration data.

Tags
see InstanceProfileProvider for $config details.

Return values
InstanceProfileProvider

memoize()

Wraps a credential provider and caches previously provided credentials.

public static memoize(callable $provider) : callable

Ensures that cached credentials are refreshed when they expire.

Parameters
$provider : callable

Credentials provider function to wrap.

Return values
callable

process()

Credentials provider that creates credentials using a process configured in an ini file stored in the current user's home directory.

public static process([string|null $profile = null ][, string|null $filename = null ]) : callable
Parameters
$profile : string|null = null

Profile to use. If not specified will use the "default" profile in "~/.aws/credentials".

$filename : string|null = null

If provided, uses a custom filename rather than looking in the home directory.

Return values
callable

shouldUseEcs()

public static shouldUseEcs() : bool
Return values
bool

sso()

Credential provider that retrieves cached SSO credentials from the CLI

public static sso([mixed $ssoProfileName = 'default' ][, mixed $filename = null ][, mixed $config = [] ]) : callable
Parameters
$ssoProfileName : mixed = 'default'
$filename : mixed = null
$config : mixed = []
Return values
callable